OIDC exchanges a short-lived token for cloud credentials on each run, so no static keys are stored. Storing an access key in secrets is the approach OIDC replaces, an instance profile ties you to self-hosted infrastructure, and embedding a token in the workflow is hardcoding a secret.